6 U-Boot Vulnerabilities Let Attackers Hijack Boot Process

U-Boot FIT image signature verification vulnerabilities CVE Binarly bootloader exploit firmware

Malicious firmware can seize control of a device before Linux starts. It can remain nearly invisible to security software running at the OS level. Researchers at Binarly discovered six vulnerabilities in U-Boot. The open-source bootloader is used by routers, servers, industrial systems, and a vast range of IoT devices.

Why U-Boot Flaws Are So Dangerous

U-Boot is one of the first components to execute when a device powers on. It initializes hardware and then hands control to the operating system. A flaw at this early stage gives an attacker a critical window. It allows interference before antivirus software, monitoring agents, or any other security mechanism loads.

Where the Bugs Were Found: FIT Image Signature Verification

The vulnerabilities reside in the code responsible for verifying digital signatures on FIT images. FIT stands for Flattened Image Tree. U-Boot uses the FIT format to package the Linux kernel, device configuration, and other firmware components. Verified Boot is supposed to check the signature and reject any modified image. However, the vulnerable code begins parsing file contents before the authenticity check completes. A specially crafted image can therefore trigger a crash before the bootloader finishes its check. It can also corrupt memory before the signature is determined to be invalid.

Six Flaws: Two Enable Code Execution, Four Cause DoS

Two of the vulnerabilities can, under certain conditions, enable arbitrary code execution within the bootloader context. The remaining four cause denial of service and can leave a device unbootable. Underlying flaws include stack corruption, out-of-bounds memory reads, null pointer dereferences, insufficient offset validation, and unbounded recursion.

BRLY-2026-038 — CVSS 6.8 (Most Critical)

This flaw causes a stack buffer underflow during signature verification. Researchers assess that an attacker could overwrite control data and achieve code execution before the operating system launches.

BRLY-2026-037

This vulnerability typically causes the bootloader to crash. However, under favorable memory layouts, it may also lead to code execution.

What a Successful Attack Enables

A successful attack grants control at the earliest stage of the boot sequence. At that level, malicious code can alter the component start order. It can also disable individual security checks or install a persistent firmware implant. Security tools inside the operating system receive control only after this damage is done. They therefore struggle to detect such threats.

Attack Scenarios

Exploitation requires delivering a crafted firmware image to the target. In many scenarios, an attacker would need either physical access or prior control over the firmware update mechanism. However, local presence is not always necessary. Server baseboard management controllers and certain network devices support remote firmware updates. An attacker who compromises the administrative interface can push a malicious image over the network.

Scope: 50+ U-Boot Releases Potentially Affected

Much of the vulnerable code dates back to U-Boot 2013.07. Binarly estimates the flaws could affect more than 50 stable releases. Numerous vendor-modified builds embedded in proprietary firmware images are also at risk. A definitive list of affected devices does not yet exist. This gap exists because of the enormous number of independent U-Boot builds maintained by hardware manufacturers.

Patch Status and What Users Must Do

Binarly reported the vulnerabilities to the U-Boot maintainers in May 2026. Patches have been merged into the mainline project. However, updating the bootloader alone is not sufficient for most users. Router, server, and embedded device manufacturers must incorporate the patches into their own firmware builds. They must then release updates through official channels. Older devices without ongoing support may never receive a fix.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Leave a Reply